How to try to stop DDoS Attacks

You can't stop them, but you can try to lessen their damage. Here's how.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Happy holidays! Your Web server just died! I use the word 'try' very deliberately in my title. The truth of the matter is that there isn't a damn thing you can do that will stop a serious distributed denial of service (DDoS) attack. There are though some ways to try to deal with them.

Mind you, there actually is a way that would put an end to most DDoS attacks. It requires that all Windows-based botnets be ripped out by the roots. Too bad that's not going to happen.

Windows is insecure by design and used by hundreds of millions of people, and many of those users wouldn't know an anti-virus program from Angry Birds. Millions of Windows computers, including maybe yours, are slave labor in one of the various botnets. Since we're not going to be rid of Windows anytime soon and it's not going to get any safer, the reality is that botnet-powered, brute-force DDoS attacks are only going to continue.

Actually, that's not true. I think DDoS attacks are actually happening more and more often. Here are some ways to mitigate them.

Some kinds of DDoS attacks are less common than they used to be. As Sean Donelan, program manager of network and infrastructure security at the Department of Homeland Security, noted in an e-mail message on the mailing list of the North American Network Operators Group (NANOG), a group devoted to backbone and enterprise networking, "SMURF attacks creating a DDoS from directed broadcast replies seems to have been mostly mitigated by changing defaults in major router OS's. TCP SYN attacks creating a DDOS from leaving many half-open connections seems to have been mostly mitigated with SYN Cookies or similar OS changes."

In short, if you update your gateway servers, switches, and firewalls to their most recent operating systems, you should be protected from attacks that rely on weaknesses in TCP/IP and in TCP/IP stack implementations. You should have been doing this all along. If you haven't been, run, don't walk, to your server room and update your systems.
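To show why SYN cookies take the sting out of the half-open-connection flood Donelan mentions, here is an added illustration of the idea in Python. It is not code from the article and is simplified from what a real kernel does; the secret, addresses and ports are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret; a real TCP stack generates and rotates its own.
SECRET = b"constructed-demo-secret"
# Like Linux, encode the client's MSS as an index into a small table (3 bits).
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_BITS, MSS_BITS, MAC_BITS = 5, 3, 24


def _mac(src, sport, dst, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and a coarse time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}@{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, sport, dst, dport, mss, counter):
    """ISN for the SYN-ACK: <5-bit counter | 3-bit MSS index | 24-bit MAC>.

    Everything the server needs later is inside the number itself, so a SYN
    leaves nothing behind in a half-open connection table, no matter how
    many spoofed SYNs arrive.
    """
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    c = counter % (1 << COUNTER_BITS)
    return (c << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) | _mac(src, sport, dst, dport, c)


def check_cookie(src, sport, dst, dport, ack, counter, window=1):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    c = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & ((1 << MAC_BITS) - 1)
    age = (counter - c) % (1 << COUNTER_BITS)  # the counter wraps every 32 ticks
    if age > window:
        return None  # stale cookie, so the ACK is ignored
    if mac != _mac(src, sport, dst, dport, c):
        return None  # forged or mis-addressed ACK: the sender never got our SYN-ACK
    return MSS_TABLE[mss_idx]


def syn_flood_demo(n_spoofed=10000):
    """Constructed traffic: many spoofed SYNs, then one real client completing the handshake."""
    for i in range(n_spoofed):  # each spoofed SYN costs a hash and no memory
        make_cookie(f"203.0.113.{i % 256}", 40000 + i, "198.51.100.10", 80, 1460, counter=7)
    cookie = make_cookie("192.0.2.5", 51000, "198.51.100.10", 80, 1400, counter=7)
    return check_cookie("192.0.2.5", 51000, "198.51.100.10", 80, cookie + 1, counter=8)
```

The price of statelessness is that only the MSS survives the round trip; other SYN options are lost, which is why stacks enable cookies only once the SYN backlog fills.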

Still, if someone really wants to smack your Web site around, there's not a lot you can do. As Jonas Frey, owner of Probe Networks, a German network security company, wrote on the same list, there's not much you can do about a DDoS attack except try to have a lot of bandwidth. "Even if you go for 802.3ba with 40/100 Gbps [Gigabits per second] you'll need a lot of pipes."

That's because, Frey explained, "Nowadays the consumers have a lot more bandwidth and it's easier than ever to setup your own botnet by infecting users with malware and alike. Even though end users usually have less than 2Mbps [Megabits per second] upstream the pure amount of infected users makes it worse than ever." You could count on Windows users practicing proper security, but you can't. As Frey pointed out, "There is just no patch for human stupidity."

What this means is that you need all the bandwidth you can get for your Web servers. If your Web servers live at a Web hosting company, check in and see just how much connectivity they have to major Internet backbones. If they rely on only one or two backbone providers and/or their pipes aren't that big, I'd go looking for another one. When it comes to dealing with DDoS attacks, there's no such thing as enough bandwidth.

Anycast and Load Sharing

If your company has Web sites co-hosted at several locations, one thing you can do that will help is to use anycast and Multicast Source Discovery Protocol (MSDP).

Anycast is a networking technique where the same IP prefix is advertised from multiple Internet locations. What that means in English is that multiple servers for a single domain share the same IP address.

Here's what happens when a DDoS attack hits a properly set-up anycast Web site. A Web page request comes in, and the network switch checks whether the closest server, in terms of network distance, is alive and well. If it's not, because of a DDoS attack, anycast automatically sends the request along to the next, hopefully healthy, server. So if you have servers in, say, New York, San Francisco, and London, and an attack is coming from a U.S. East coast-based botnet, the load from the attack is automatically shared with the other sites.

Anycast, or any other distributed load-sharing technology, doesn't provide perfect protection. A big enough DDoS assault will topple all your anycast servers, or any other distributed network servers, like a row of dominoes. That's not good.

There are companies like Arbor Networks, BlockDOS, and ServerOrigin that offer DDoS protection services, but none of them are offering perfect defenses.

What many DDoS protection companies, like BlockDOS and ServerOrigin, are really doing is offering distributed server hosting with anycast or other techniques to provide failover server protection. If you don't have expert network administrators or a Web hosting company with multiple hosting farms, that may be exactly what you need. Arbor offers real-time network analysis servers so you can see DDoS storms coming and then take defensive measures with their help.

No, for now at least, we're stuck with trying to make the best we can of a bad Internet situation. As Arbor Networks' solutions architect, Roland Dobbins, wrote on the NANOG mailing list, "DDoS is just a symptom. The problem is botnets." And that problem isn't going away anytime soon.